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I 1 ORMati °n T^^ologV Director of white house 

i: SECURITY f 

OFF JCES ^ °CISO AND OA OCIO MUST REMAIN INDEPENDENT 
U//FQUQ) yj. 

incident tl *? I H^' ECUrily °ffioer^OCKf v ° f the Presi dent (HOP), the Office of ^ e ^ t y 
Comm ’ an ^ ,s res Pt>nsibI e for th " *° Was . establishe < 1 in 2015 as a response to a maj , * Q y 
unity (PITC) n «f„ T c information security of the Presidential Information e . 

^2015, prior * thc^r u CCOrding to a US Intelligence Community (USIC) ass^n^ 

(D/WHIT) and CISO ™ , b lshment of the Director of White House Information Techno & 

I and J defined by a “lack of H**’ thC PITC was “operating ineffectively under disparate w 

'Tquirements sonir't ear governance roles, responsibilities, and relationship p . _ «i 

furthermore 'the and authorization, acquisition, and technologyroles and 

authorities are m * u ana ^ s ^ s states that “it is imperative that [the D/WHIT and ^ military, 
and dinlormt* 5- ' established and codified,” 2 The nation’s most critical intelligence, 

therefn \ 1C f ormation passes through the PITC network, 3 and the security o ^ 
n ha s global implications. It is the responsibility of the OCISO to "assesses the nsk _ 

ni u e o ^ ^ arm resulting from unauthorized access, use, disclosure, disruption* moci ic ^ 
oi eslruction oi information and information systems that support the operations and asse s 

the President. 4 


(U//FOUO) Since 2015, the OCISO has significantly matured the information security posture o 
the EOP and built a robust cyber security program, insider threat program, user awareness 
program, and digital forensics unit from the ground up. The OCISO has established a security- 
first" culture, with multiple teams working to protect the PITC network and the devices and 
personnel of all EOP components - including the White House Office, National Security Council, 
i IS Trade Representative, Office of Management and Budget, and the Office of Administration - 
no matter where in the world EOP staff are traveling. Under the direction of the OCISO, the White 
House Threat Intelligence, White House Computer Network Defense, Data Loss Prevention, and 
Information Assurance teams work to protect the PITC network from sophisticated nation-state 
cyber intrusion sets, insider threats, and the compromise of sensitive information. These teams 
support all EOP components by monitoring nation-state intrusion sets and implementing defensive 
countermeasures on the network; providing 24/7 network and email monitoring; proactively 
identif ying and investigating leaks of sensitive information, such as the President’s movements 
and schedule, which have a direct impact on his physical security; authoring technical threat 
memos and guidance to support PO ! US, VPOTUS, APNSA,and other VIP delegations travclino 
outside the contiguous United States (OCONUS); briefing senior delegations and PITP „ - ^ 
on the lechnical threat environment in foreign countries; traveling OCONl 1<5 w t ’ ar [ ners 
locations to provide on-site cyber intelligence and network defense simnor.. .. ° • hlgh ‘ ,hrcat 
House Information Technology-issued electronic devices on foreign tra l"’ ! \ Uthonzm S White 
awareness and onboarding briefings, as well as personalized Cvber H • ““ P rov *ding cyber 

- M >giene Reviews, for senio, 
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E0p > OCISO ..^mbUBn «-J““ S“‘p"“S 

re Portin e ch ^ the CI ° and CISO^-^ 7rather than throu & h 311 ° CI ?' rea son, wlth tVtween 

0n 8 . ^ am S and dirertn Positions are separated for precisely thi^ t T; n tei" eS ‘ P ISO 
nnf 231,01,81 OCtSO aid Duc >° ‘he potential for conflicts 0 OCISO 

pendence for the financi 1 Positions, the Sarbanes-Oxley Act ( nt primary re ~j cts 

. OI separating OCISO „ w, sce 101 un der its "separation of duty” requirei t , on al . , c 

between keeping svs,? m d 00,0 Po^fons within organizations (OCISO), 

need for the OCISO S tLllln i n 8 (OCIO) and lowering information tecta 0 physical sec 

human ***** to %dfo 

malicious insid ^ a , counse f and other departments; the need let urA iew; the n 
“solvTnroWem! ’ those '"™lved in IT and under the OCIO. progf^^ 

legal r P ... without technology ” for example via educational and a . , egr ity, such as SO • 

Arr „ m ' surrounding conflict of interest which mandate security ' J^foent research 

H , ‘" 8 0 a 2017 survey from the Ponemon Institute, which conducts iP^ repot t direct y 

ata protection, information technology, and the threat landscape, 65 /4 of ^ iT-security 
senior executives, and 68% of organizations now give CISOs the final execu uve4evei 

spending. Furthermore, 69% of respondents consider the appointmen ^ governance 

security leader with enterprise-wide responsibility as an organization s m * s a best-pi actice 

practice. 7 ' 10 This elevation of the OCISO to an executive-level post 
recommended by leading security 7 researchers since at least 1997. 

and capabilities for the 

(U//FOUO) As the White House has matured its “security-first” processes ndent entity - 

HOP and the PITC networks, the OCISO has been formalizeed ■as _ ma o n itude of harm 

responsible for the management of information security, assessing e _ products and 

resulting from unauthorized access, and independently nsib fo for providing this 

services, regardless of internal pressures, hnportantty, foeO p W hite House Military 

security function for all EOP components and PITC 0 A. This OCISO 

Office, the ^ access to EOP executive leadership - demonstrates 

°n Ve wh mHotse’s commitment for security, and is critical for the protection of the PITC network 
r K kith hiuhiv sophisticated nation-state actors and from insider threats. As such, it is imperative 
u° m ^nriSO y rem P ain able to assess risk to the EOP in a holistic manner which is independent of 
lh nriO ind other internal pressures, which can incentivize delivering products quickly to meet 
the OU s hortcutting security considerations. Placing this office under the Office of 

customer nee _ office of the Chief Information Officer (OA OCIO) would create an 

Adrmmsia ^ a i eve i 0 f n S k for the EOP that is diametrically opposed to my 

operation^ protect t hi s nation^ most critical information, networks, and personnel. 
I T P ° I )ver it is my professional judgment that this measure would result in an immediate and 
■ ° r ffir‘int negative impact on the security of the PITC network, as well as the protection of White 
Hnusc assets and personnel. Finally the White House networks have not been breached under mv 
, h We arc utilizing industry and government recommendations to have OCISO separated fr m 
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